Lapsus$ Breached T-Mobile

April 26, 2022

Industry: N/A | Level: Strategic | Source: Krebs On Security

Through a review of activity by the data extortion group Lapsus$, independent researcher Brian Krebs has identified a breach of wireless network operator T-Mobile in March 2022. Krebs obtained private chat messages from Lapsus$ members, and the indications are that the group breached T-Mobile multiple times, obtaining source code for various company projects in order to extort the communications provider for financial gain. T-Mobile has confirmed the breach but stated to Bleeping Computer that customer and government data was not compromised: “The systems accessed contained no customer or government information or other similarly sensitive information, and we have no evidence that the intruder was able to obtain anything of value.” The chat logs examined by Krebs give insight into the group’s operations thanks to the members’ candid conversations. The Lapsus$ hackers obtained access by purchasing compromised systems and credentials on the Russian Market. Additionally, the group enticed insiders to supply access, with T-Mobile employees providing internal access and capabilities that let Lapsus$ hackers conduct “SIM swaps.” Although the hackers were shut out from time to time when T-Mobile employees logged into their own accounts or changed their passwords, Lapsus$ was able to discover or purchase another set of T-Mobile VPN credentials. Atlas, a T-Mobile customer management tool, was compromised by Lapsus$ on March 19th, 2022, with the threat actors attempting to access accounts related to the FBI and the Department of Defense; however, that information required “additional verification procedures before any changes could be processed,” thwarting the attackers’ attempts to access government account data.

Lapsus$ Breached SuperCare Health in July 2021

April 19, 2022

Industry: Healthcare | Level: Strategic | Source: CySecurity

SuperCare Health, a respiratory care provider located in California, disclosed a data breach that occurred between July 23rd and 27th, 2021, impacting 318,379 patients. The data extortion group Lapsus$ has been identified as responsible for the attack. Data compromised by the hackers includes patient names, dates of birth, and medical and insurance information. Only some individuals also had their social security numbers and/or driver’s license information compromised.

MFA Prompt-Bombing

April 05, 2022

Shedding light on techniques used to abuse MFA, Ars Technica reports on a tactic known as MFA prompt-bombing.

Lapsus$ Hacks Globant

April 05, 2022

Industry: Technology: Information Technology & Software | Level: Strategic | Source: Techmonitor

Information technology and software company Globant has suffered a data breach by Lapsus$, as reported by TechMonitor. Despite the arrest of seven Lapsus$ members, the remaining members are undeterred following their “week-long vacation.” The data extortion group has released 70 GB of data from Globant, including source code and admin passwords. As is typical of Lapsus$ data leaks, an image shows Globant clients including “BNP Parabas, Facebook, healthcare giant Abbot, Stifel and DHL,” indicating potentially widespread implications of the hack. Input from researchers at VX-Underground and security specialist Brian Higgins of Comparitech suggests Globant’s breach was due to poor “password hygiene.”

Microsoft Confirms LAPSUS$ Hack & Analysis

March 29, 2022

Industry: Technology | Level: Strategic | Source: Microsoft

Microsoft’s security teams provide analysis of the Lapsus$ data extortion group (tracked by Microsoft as DEV-0537). Microsoft also confirms its own breach by Lapsus$, which compromised project source code for Bing and Cortana. Microsoft’s statement on the impact and cause reads: “no customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity.” Microsoft shares details of the observed tactics, techniques and procedures (TTPs). Initial access is obtained much as it is by most threat actor groups: gathering credentials from information-stealing malware such as RedLine, purchasing access through access brokers, and recruiting insiders at target companies (with telecommunications and technology-related industries specifically targeted). For reconnaissance and privilege escalation, the group targets vulnerabilities on internal servers and searches internal repositories for credentials and secrets. The group gathers intelligence by joining crisis calls and/or observing internal message channels to understand the organization’s incident response workflow. In the final stages of the attack, the hackers often create global admin accounts on cloud tenants: “If they successfully gain privileged access to an organization’s cloud tenant (either AWS or Azure), DEV-0537 creates global admin accounts in the organization’s cloud instances, sets an Office 365 tenant-level mail transport rule to send all mail in and out of the organization to the newly created account, and then removes all other global admin accounts, so only the actor has sole control of the cloud resources, effectively locking the organization out of all access. After exfiltration, DEV-0537 often deletes the target’s systems and resources.” The attackers use a VPN for data exfiltration; however, they are cognizant of alerts such as those for impossible travel, and select a geographically plausible egress location based on their target.
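The tenant-lockout sequence Microsoft describes (new global admin, tenant-wide mail transport rule, removal of the other global admins) is a correlatable chain in the audit log. The following is an added detection example, not code from Microsoft or this page; the record layout and the sample events are constructed, and the operation names are simplified stand-ins for the real Azure AD and Exchange Online audit entries.

```python
from datetime import datetime, timedelta

# Constructed, simplified audit records loosely modelled on Azure AD role-change and
# Exchange Online transport-rule audit operations; the field names are an assumption.
def ev(ts, actor, op, target, detail=""):
    return {"ts": ts, "actor": actor, "op": op, "target": target, "detail": detail}

EVENTS = [  # constructed sample data, not real log lines
    ev("2022-03-20T02:10:00", "svc-backup@corp.example", "Add member to role", "ga-new@corp.example", "Global Administrator"),
    ev("2022-03-20T02:14:00", "ga-new@corp.example", "New-TransportRule", "CopyAllMail", "BlindCopyTo=ga-new@corp.example"),
    ev("2022-03-20T02:20:00", "ga-new@corp.example", "Remove member from role", "it-admin@corp.example", "Global Administrator"),
    ev("2022-03-20T02:21:00", "ga-new@corp.example", "Remove member from role", "ciso@corp.example", "Global Administrator"),
    ev("2022-03-21T09:00:00", "it-admin@corp.example", "Add member to role", "newhire@corp.example", "Global Administrator"),
]

GA = "Global Administrator"

def detect_tenant_lockout(events, window=timedelta(hours=2)):
    """One finding per newly granted Global Admin that, within `window` of the grant,
    both creates a mail transport rule and removes other Global Admins."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
    findings = []
    for i, grant in enumerate(events):
        if not (grant["op"] == "Add member to role" and grant["detail"] == GA):
            continue
        new_admin, t0 = grant["target"], datetime.fromisoformat(grant["ts"])
        rules, removed = [], []
        for e in events[i + 1:]:
            if datetime.fromisoformat(e["ts"]) - t0 > window:
                break  # outside the correlation window
            if e["actor"] != new_admin:
                continue  # only actions taken by the newly granted account count
            if e["op"] == "New-TransportRule":
                rules.append(e["detail"])
            elif e["op"] == "Remove member from role" and e["detail"] == GA and e["target"] != new_admin:
                removed.append(e["target"])
        if rules and removed:
            findings.append({"new_admin": new_admin, "granted_by": grant["actor"],
                             "mail_rules": rules, "admins_removed": removed})
    return findings

if __name__ == "__main__":
    for f in detect_tenant_lockout(EVENTS):
        print(f"ALERT tenant lockout pattern: {f}")
```

The second grant in the sample (a routine new-hire role assignment) produces no finding because it is not followed by a transport rule or admin removals by that account.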

Arrests of Seven Lapsus$ Hackers

March 29, 2022

As reported by the BBC, London police have arrested seven teenagers associated with the Lapsus$ data extortion group.

Okta Data Breach Update

March 29, 2022

Industry: Technology | Level: Tactical | Source: Okta

Okta provides an update on the company blog regarding its security breach by Lapsus$. Okta’s forensic investigation affirms that the activity originated from a business solutions company named Sitel and its acquired company, Sykes. The screenshots shared by Lapsus$ are determined to have been obtained through remote desktop (RDP) access to a Sitel support engineer’s workstation. Although the support engineer’s privileges were identified as “SuperUser,” Okta emphasizes that the role “is limited to basic duties in handling inbound support queries.” The forensic investigation conducted by Sitel and a third-party security firm extensively reviewed activity from “January 16-21, 2022 when the threat actor had access to the Sitel environment.” On Okta’s side, the investigation was triggered by an event on January 20, 2022, at 23:18 UTC, with an alert that “a new factor was added to a Sitel employee’s Okta account from a new location.” The associated Okta account was contained by Okta on January 21st, 2022 at 00:18 UTC. Okta has provided an incident timeline dating the notable events from January 20th, 2022 to March 22nd, 2022, when Lapsus$ claimed a breach via screenshot.

  • Anvilogic Scenarios:
    • Okta Suspicious Login then Priv Esc and AOO
    • Okta Suspicious Login then Account Manipulation
  • Anvilogic Use Cases:
    • Okta: Security Threat Detected
    • Okta: API Token Created
    • Okta: User/Group Privilege Grant
    • Okta: Application Modified or Deleted
    • Okta: Update or Delete sign on policy
    • Okta: MFA Reset or Deactivated
    • Okta: Policy Modified or Deleted
    • Okta: Policy Rule Modified or Deleted
    • Okta Multiple signins from Same IP address
    • Okta Impossible Travel Sign-In
    • Okta: Auth from Suspicious Country
    • Okta: Profile Updated
    • Okta: User Created
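The alert that started Okta’s investigation, a new MFA factor enrolled from a location never seen for that account, maps directly onto the Okta System Log. The following is an added detection example, not Okta’s or Anvilogic’s code; the event shape is loosely modelled on Okta System Log fields, and every user, timestamp and location in the sample is constructed.

```python
from datetime import datetime, timedelta

# Constructed events loosely modelled on Okta System Log fields (eventType,
# actor.alternateId, client.geographicalContext, outcome.result, published).
def okta_event(published, user, event_type, country, city, result="SUCCESS"):
    return {"published": published, "eventType": event_type,
            "actor": {"alternateId": user},
            "client": {"geographicalContext": {"country": country, "city": city}},
            "outcome": {"result": result}}

LOG = [  # constructed sample data, not real log lines
    okta_event("2022-01-10T09:02:11Z", "support-eng@corp.example", "user.session.start", "Philippines", "Manila"),
    okta_event("2022-01-14T08:55:40Z", "support-eng@corp.example", "user.session.start", "Philippines", "Manila"),
    okta_event("2022-01-20T23:10:05Z", "support-eng@corp.example", "user.session.start", "United Kingdom", "London"),
    okta_event("2022-01-20T23:18:30Z", "support-eng@corp.example", "user.mfa.factor.activate", "United Kingdom", "London"),
    okta_event("2022-01-18T07:30:00Z", "analyst@corp.example", "user.mfa.factor.activate", "United States", "Austin"),
    okta_event("2022-01-05T07:30:00Z", "analyst@corp.example", "user.session.start", "United States", "Austin"),
]

def ts(e):
    return datetime.strptime(e["published"], "%Y-%m-%dT%H:%M:%SZ")

def new_factor_from_new_location(log, lookback=timedelta(days=30), settle=timedelta(hours=24)):
    """Flag MFA factor enrolments whose country is absent from the user's successful
    sign-ins in the preceding `lookback`. A country only counts as known once it was
    seen at least `settle` before the enrolment, so a sign-in minutes earlier from the
    same new place (the intruder's own session) cannot baseline itself."""
    log = sorted(log, key=ts)
    findings = []
    for e in log:
        if e["eventType"] != "user.mfa.factor.activate":
            continue
        user, t, geo = e["actor"]["alternateId"], ts(e), e["client"]["geographicalContext"]
        known = {x["client"]["geographicalContext"]["country"] for x in log
                 if x["actor"]["alternateId"] == user and x["eventType"] == "user.session.start"
                 and x["outcome"]["result"] == "SUCCESS"
                 and settle <= t - ts(x) <= lookback}
        if geo["country"] not in known:
            findings.append({"user": user, "when": e["published"],
                             "from": f'{geo["city"]}, {geo["country"]}',
                             "known_countries": sorted(known)})
    return findings

if __name__ == "__main__":
    for f in new_factor_from_new_location(LOG):
        print(f"ALERT new MFA factor from unseen location: {f}")
```

Setting `settle` to zero shows the failure mode: the sign-in eight minutes before the enrolment would mark the new country as known and the alert would be lost.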

Okta Shares Investigation Update – 2022-03-24

March 24, 2022

Okta provided an update on the company blog regarding its security breach by Lapsus$. Okta’s forensic investigation affirms that the activity originated from a business solutions company named Sitel and its acquired company, Sykes.